Vulnerabilities CISA Adds iOS Flaws From Coruna Exploit Kit to KEV List The nation-state-grade iOS exploit kit targets 23 vulnerabilities affecting iOS 13 to 17.2.1. By Ionut Arghire | March 6, 2026 (8:18 AM ET) Flipboard Reddit Whatsapp Whatsapp Email The US cybersecurity agency CISA on Thursday expanded the Known Exploited Vulnerabilities (KEV) list with five flaws, including three bugs targeted by the nation-state-grade Coruna iOS exploit kit . Coruna contains exploits targeting 23 vulnerabilities in iOS versions spanning four years, namely iOS 13.0 to iOS 17.2.1, but is ineffective against the latest iterations of Apple’s mobile platform. It has been used by multiple threat actors, including the customer of a spyware vendor, a Russian espionage group, and a financially motivated Chinese group. Likely built using ‘second-hand’ zero-day exploits, Coruna fingerprints devices to load the appropriate WebKit remote code execution (RCE) exploit, bypasses various platform mitigations, and injects a payload in the ‘powerd’ daemon running as root. The payload targets the victim’s financial information and can also load additional modules for exfiltrating cryptocurrency wallets and sensitive information from multiple applications. Of the 23 security defects targeted by the exploit kit, 12 have had a CVE identifier assigned. All the exploited issues, publicly disclosed or not, have been patched. Advertisement. Scroll to continue reading. Of the publicly disclosed bugs, nine were previously flagged as exploited, most of them as zero-days. These include CVE-2022-48503 , CVE-2024-23222 , CVE-2023-32409 , CVE-2020-27932 , CVE-2020-27950 , CVE-2023-32434 , CVE-2023-38606 , CVE-2024-23225 , and CVE-2024-23296 . There appear to have been no public reports of the exploitation of the remaining three CVEs, namely CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000, before this week’s revelations of the Coruna iOS exploit kit targeting them. Now that CISA has added all three iOS flaws to the KEV catalog , federal agencies have three weeks to identify within their environments any vulnerable devices and to patch them, as mandated by Binding Operational Directive (BOD) 22-01. On Thursday, CISA also warned that older vulnerabilities in multiple Hikvision and Rockwell products have been exploited in the wild. While BOD 22-01 only applies to federal agencies, all organizations are advised to prioritize the remediation of bugs in the KEV catalog. Related: Google: Half of 2025’s 90 Exploited Zero-Days Aimed at Enterprises Related: Android Update Patches Exploited Qualcomm Zero-Day Related: Apple Patches iOS Zero-Day Exploited in ‘Extremely Sophisticated Attack’ Related: In Other News: iOS 26 Deletes Spyware Evidence, Shadow Escape Attack, Cyber Exec Sold Secrets to Russia Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Cisco Patches Critical Vulnerabilities in Enterprise Networking Products AI Security Firm JetStream Launches With $34 Million in Seed Funding Google Plans Two-Week Release Schedule for Chrome Global Coalition Publishes 6G Security and Resilience Principles Critical FreeScout Vulnerability Leads to Full Server Compromise 1.2 Million Affected by University of Hawaii Cancer Center Data Breach Android Update Patches Exploited Qualcomm Zero-Day Vulnerability in MS-Agent AI Framework Can Allow Full System Compromise Latest News Rockwell Vulnerability Allowing Remote ICS Hacking Exploited in Attacks James ‘Aaron’ Bishop Tapped to Serve as New Pentagon CISO Iranian APT Hacked US Airport, Bank, Software Company Data Security Firm Evervault Raises $25 Million in Series B Funding Google: Half of 2025’s 90 Exploited Zero-Days Aimed at Enterprises Russian Ransomware Operator Pleads Guilty in US Cisco Warns of More Catalyst SD-WAN Flaws Exploited in the Wild Reclaim Security Raises $20 Million to Accelerate Remediation Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Virtual Event: Supply Chain Security and Third-Party Risk Summit March 18, 2026 Join the event where top security experts unpack the biggest software supply chain risks. Register People on the Move Sonalee Parekh has joined SentinelOne as Chief Financial Officer. Chris Butera has been named Acting Executive Assistant Director for Cybersecurity at CISA. Software and firmware supply chain security company Binarly has appointed Gwenyth Castro as its new CEO. More People On The Move Expert Insights Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Security in the Dark: Recognizing the Signs of Hidden Information Security failures don’t always start with attackers, sometimes they start with missing truth. (Joshua Goldfarb) Living off the AI: The Next Evolution of Attacker Tradecraft Living off the AI isn’t a hypothetical but a natural continuation of the tradecraft we’ve all been defending against, now mapped onto assistants, agents, and MCP. (Etay Maor) Why We Can’t Let AI Take the Wheel of Cyber Defense The fastest way to squander the promise of AI is to mistake automation for assurance, and novelty for resilience. (Steve Durbin) Flipboard Reddit Whatsapp Whatsapp Email